Bug 585331 (CVE-2010-1157)
| Summary: | CVE-2010-1157 tomcat: information disclosure in authentication headers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | akurtako, awnuk, devrim, dknox, dwalluck, jlieskov, jsherril, mharmsen, mjc, pcheung, rafaels, sochotni, tromey |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-07-13 09:43:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 585369, 585370, 606822 | ||
| Bug Blocks: | |||
|
Description
Vincent Danen
2010-04-23 18:03:34 UTC
Created tomcat6 tracking bugs for this issue Affects: fedora-all [#585369] Created tomcat5 tracking bugs for this issue Affects: fedora-all [#585370] This was corrected upstream via the tomcat 6.0.28 release: http://tomcat.apache.org/security-6.html And tomcat 5.5.30: http://tomcat.apache.org/security-5.html I wonder if we should backport this patch. Information leak is limited to request host name/ip and port and hence is only relevant to setups where requests are proxied to internal tomcat instance(s) from publicly-accessible host. Leak can be avoided by configuring <realm-name> in login configuration properly. This should already be done in deployments where such leak would matter. The patch does not seem to offer an easy way back to current behaviour where request host:port is used as default realm for deployments where that behaviour is expected and possibly relied on. This issue has fairly limited impact and can be avoided with proper configuration. The upstream patch changes the default realm name generated by Tomcat. As the original default may be expected in some deployments, there is no plan to backport a fix for this issue to the Tomcat versions included in already-released product versions. Future product versions providing tomcat packages based on an upstream version containing this patch may offer a new default value. For current deployments, the information leak can be avoided by making sure all configurations using HTTP BASIC or DIGEST authentication have a realm configured in the login-config section of web.xml. Adding the following to all login-config sections that do not define a realm is equivalent to applying the upstream patch: <realm-name>Authentication required</realm-name> Configurations that already have a realm-name specified are not affected by this issue. Statement: The risks associated with fixing this flaw are greater than the low severity security risk. We therefore have no plans to fix this flaw. The information leak can be avoided by adjusting the configuration to always specify a realm-name. This issue has been addressed in following products: JBEAP 4.2.0 for RHEL 4 JBEAP 4.3.0 for RHEL 4 JBEAP 4.2.0 for RHEL 5 JBEAP 4.3.0 for RHEL 5 Via RHSA-2010:0584 https://rhn.redhat.com/errata/RHSA-2010-0584.html This issue has been addressed in following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 4 JBEWS 1 for RHEL 6 Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html |